Networks such as communications networks, also called IT (information technology) infrastructures, are difficult to manage. Changing the network configuration, for example by altering the topology, adding a new machine or storage device, or changing attributes of such devices, is typically a difficult manual task. This makes such changes expensive and error prone. It also means that a change can take several hours or days to take effect, limiting how quickly the infrastructure can be reconfigured in response to changing business demands.
A physical IT infrastructure can have only one configuration at any one time. It may be used for multiple tasks, which should not interfere with each other. Such sharing can be between different owners (companies), or between tasks or data belonging to the same owner but having differing priorities or sensitivities. For example, it has been proposed to use spare compute cycles on desktops and servers to perform large-scale computations: grid applications. One problem is network security, in particular how to isolate the network traffic, data storage and processing of these computations from other tasks using the same infrastructure. Without isolation, undesirable interference between the tasks is likely to occur, rendering such sharing an unacceptable risk.
In most physical IT infrastructure, resource utilization is very low: 15% is not an uncommon utilization for a server, 5% for a desktop. This provides impetus to share such IT infrastructure. HP's UDC (Utility Data Centre) is an example of how to manage such sharing, by automatic reconfiguration of physical infrastructure: processing machines, network and storage devices. This requires specialized hardware, which makes it expensive. In addition, in the UDC a physical machine can only ever be in a single physical infrastructure. This means that all programs running on that physical machine will be exposed to the same networking and storage environment: there is a risk that they can interfere with each other, and the configuration may not be optimal for all programs. Models of the topologies of such shared networks can be built up by “network discovery” programs to facilitate network management.
Advanced, multi-customer, utility-style distributed systems will be deployed and managed, in an ever-changing, dynamic, business-driven environment, by making use of explicit systems descriptions, such as those provided via languages and notations like CIM, SmartFrog, etc. These in turn embody various lightweight logical models of these systems. Since utility-style IT systems are developed to serve well-defined business functions, there are typically several valued information assets and services located within the system. Access to these valued resources should be restricted to entities having an accepted business need.
It is also known to provide model-based techniques for exploring the consequences of failures, etc., in communications networks and in other types of network such as manufacturing plants, product distribution chains, or utility distribution networks, for example. Textbooks on Probability Risk Assessment give semantic network descriptions of plant. However, that is not the same thing as using the model to actively locate and explore the consequences of failures and of malicious exploits of vulnerabilities for attack—typically, event and fault tree analyses are employed to do that.
It is known to provide automatic management of security policy in communications networks. Telcordia have deployed an agent-based system for automatic configuration of firewalls to enforce security policies specifying that some machines should be connected and others should not be connected, in a network having a dynamic topology. This involves using a model of the network topology which is updated as the network topology is altered. The model includes information about the settings or configuration of security controls, in the form of configurable firewalls at various places in the network. A drawback of this is that changes in network topology are not the only source of risk of compromises in security or isolation. Hence, in practice, the level of confidence provided by such a system is not high enough.
QinetiQ have produced a network modelling tool for domain-based security and compromise path analysis. This can compute compromise paths and produce tables for use by expert risk analysts. However, again it does not assess many types of security risk, including risks to isolation, so again in practice the level of confidence provided by such a tool is not high enough.
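As an added illustration (not from the text above, and not the Telcordia or QinetiQ tools themselves), the following models the kind of check the two preceding paragraphs describe: a topology model carrying firewall configuration, an isolation policy stated as pairs of machines that must not be connected, and a compromise-path search over the model. It also shows the drawback noted above: two machines sharing one physical host (cf. the UDC discussion) are connected by a channel the firewall model never sees, and the check only reports the violation once that channel is added to the model. All node names, rules and policy pairs are constructed.

```python
from collections import deque

# Constructed sample model: node -> set of directly linked nodes.
# "fw-1" is a firewall separating the grid nodes from the business systems.
LINKS = {
    "grid-node-1": {"fw-1"},
    "grid-node-2": {"fw-1"},
    "fw-1": {"grid-node-1", "grid-node-2", "payroll-db", "web-1"},
    "payroll-db": {"fw-1"},
    "web-1": {"fw-1"},
}
# Firewall configuration: firewall -> (source, destination) flows it forwards.
FW_ALLOW = {"fw-1": {("web-1", "payroll-db"),
                     ("grid-node-1", "grid-node-2"),
                     ("grid-node-2", "grid-node-1")}}
# Isolation policy: (source, destination) pairs that must NOT be connected.
POLICY = [("grid-node-1", "payroll-db"), ("web-1", "grid-node-1")]


def compromise_path(links, fw_allow, src, dst):
    """Breadth-first search from src to dst. A firewall node is traversed
    only if its configuration forwards the (src, dst) flow.
    Returns the first path found, or None if the model shows no path."""
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == dst:
            return path
        if node in fw_allow and (src, dst) not in fw_allow[node]:
            continue  # this firewall blocks the flow; do not expand past it
        for nxt in links.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def isolation_violations(links, fw_allow, policy):
    """Every policy pair for which the model exhibits a compromise path."""
    found = []
    for src, dst in policy:
        path = compromise_path(links, fw_allow, src, dst)
        if path is not None:
            found.append((src, dst, path))
    return found


def with_shared_host(links, a, b):
    """Return a copy of the model in which a and b are co-located on one
    physical host, modelled as a direct link that bypasses every firewall."""
    extended = {n: set(nb) for n, nb in links.items()}
    extended.setdefault(a, set()).add(b)
    extended.setdefault(b, set()).add(a)
    return extended
```

Run against the topology alone, `isolation_violations(LINKS, FW_ALLOW, POLICY)` reports nothing; after `with_shared_host(LINKS, "grid-node-1", "payroll-db")` the same policy check reports the direct path, which is the source of risk a topology-and-firewall model on its own cannot show.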
Microsoft have announced a system definition model (SDM) which is used to create definitions of distributed systems. The distributed system is defined as a set of related software and hardware resources working together to accomplish a common function. Multitier line-of-business (LOB) applications, Web services, e-commerce sites, and enterprise data centers are examples of systems. Using SDM, businesses can create a live blueprint of an entire system including application services, hosts for such services, network topologies and underlying hardware. This blueprint can be created and manipulated with various software tools. It can be used to define system elements and capture data pertinent to development, deployment, and operations so that the data becomes relevant across the entire IT life cycle.